Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Ethereum Core Devs Meeting 84 Agenda #162

Closed
Souptacular opened this issue Apr 2, 2020 · 17 comments
Closed

Ethereum Core Devs Meeting 84 Agenda #162

Souptacular opened this issue Apr 2, 2020 · 17 comments

Comments

@Souptacular
Copy link
Contributor

Souptacular commented Apr 2, 2020

Ethereum Core Devs Meeting 84 Agenda

Agenda

  1. Eligibility for Inclusion (EFI) EIP Review
  2. Berlin Timing
  3. EIP-2583 Penalty for account trie misses
  4. Testing updates
  5. EIPIP Survey
  6. Review previous decisions made and action items (if notes available)

Next call: April 17, 2020 14:00 UTC

@holiman
Copy link

holiman commented Apr 2, 2020

Some status updates:

@gcolvin
Copy link

gcolvin commented Apr 2, 2020

I have signed off now. It looks great! Thanks, Martin @holiman

@shamatar
Copy link

shamatar commented Apr 2, 2020

Returning back to ethereum/EIPs#2046:

  • SHA256 function was found to NOT depend on current CALL cost pricing and simultaneously hugely overpriced. Recommended to change to 10 + 6 gas per word (32 bytes) from the current 60 + 12 per word
  • Ripemd160 function was found to NOT depend on current CALL cost pricing and simultaneously hugely overpriced. Recommended to change to 12 + 4 gas per word (32 bytes) from the current 600 + 120 per word
  • Blake2f function was found to NOT depend on current CALL cost pricing and simultaneously strangely priced. Recommended to change to 5 + 1 gas per three(!) rounds(!) from the current 1 gas per round. Typically it's 10-12 rounds for the Blake2s/Blake2b, so the main benefit here is removal of the huge CALL cost
  • BN_ADD function was found to NOT depend on current CALL, but was underpriced. It's recommended to change it to 300 gas from the current 150 gas if CALL cost is reduced
  • BN_MUL function was found to NOT depend on current CALL and was well-priced. It's recommended to change it to 6300 gas from the current 6000 gas to account for a worst-case input parameters (largest hamming weight of the scalar)
  • BN_PAIRING function was found to be well priced, no adjustments are necessary. Although I would recommend parity to switch from bn package to pairing_ce or EIP1962 implementation cause those are significantly faster
  • MODEXP - there was a EIP merged that did NOT perform artificial corrections for CALL cost, so we can conclude that function can be treated to NOT depend on current CALL cost

Bonus:

  • keccak256 function was found to consume 10 gas + 4 gas per word (32 bytes) compared to the current 30 + 6 per word (OpenEthereum implementation is just a wrapper on top of tiny-keccak package). Fancy part is that 0, 32, 64 and 128 bytes take the same amount of time, so may be pricing should be changed to elaborate this. Most common use case of Merkle trees would benefit from this, and pricing itself would be more precise. Note that this may be implementation dependent for Rust, but most likely not due to the nature of the sponge construction with 1600 bits of internal state.

@edsonayllon
Copy link
Contributor

Could you add an agenda item for the EIPIP survey?

@MadeofTin
Copy link
Contributor

I won’t be attending this week for EIPs in consideration for Berlin just Read through the list for awareness of what is being worked on.

EIP-1962 and its BLS-Signature working group updates
#152 (comment)
EIP-2515 - Difficulty Bomb
https://ethereum-magicians.org/t/eip-2515-replace-the-difficulty-bomb-with-a-difficulty-freeze/3995
EIP-2315 Simple Subroutines for the EVM 

https://ethereum-magicians.org/t/eip-2315-simple-subroutines-for-the-evm/3941
EIP-2456 Time Based Upgrades

https://ethereum-magicians.org/t/eip-2456-time-based-upgrade-transitions/3902/11

@axic
Copy link
Member

axic commented Apr 3, 2020

MODEXP - there was a EIP merged that did NOT perform artificial corrections for CALL cost, so we can conclude that function can be treated to NOT depend on current CALL cost

@shamatar to be fair I don't think merging a draft constitutes as confirmation that modexp is not relying on call costs

Also on last ACD I mentioned I was working on a document trying to establish cost relationships, so we could reason for the reduction. I haven't gotten to any conclusion yet, but here is my working document: https://hackmd.io/@axic/rJPHqPywI

@holiman
Copy link

holiman commented Apr 3, 2020

I've made a new EIP PR: ethereum/EIPs#2583. File is here: https://github.com/ethereum/EIPs/blob/db1e389aae4e05654703d24862b0db91040bf745/EIPS/eip-draft-trie-penalty.md

It implements a penalty-scheme, which is think is much needed at this point in time. If we have time, I would like to present it to the meeting, to get some initial feedback. Some of you have seen early copies of this eip, but it's been expanded since the initial conception, both in the EIP itself and the investigation into if/how it could disturb existing contracts.

@holiman
Copy link

holiman commented Apr 3, 2020

@shamatar all of what you conclude is only relevant for Parity, and might also be tied to some characteristics of your hardware.

I will try to repro the benchmarks on geth, but I don't know what vectors ot use, so it would be good if you can publish them somewhere. Even if you generated them on the fly, perhaps you can spit out a relevant cross-section? As I see it, we're not even close to being able to draw any conclusions yet, but initial results look good.

@axic
Copy link
Member

axic commented Apr 3, 2020

In such a scenario, the malicious would spend ~750 gas each call to relay, and would need to provide the relay with at least 700 gas to do a trie access.

@holiman maybe it is worth considering the idea which was brought up as part of "Stateless Summit". Have a separate counter, this time for the entire transaction frame, for the penalty counting. This same counter could be used for witness size counting.

Wouldn't it eliminate this attack vector?

@shamatar
Copy link

shamatar commented Apr 3, 2020

@holiman

Vectors are randomly generated from seeded RNG. For hash functions it's just a random input into the string. For Blake2f I place random data everywhere and manually control number of rounds (first 4 bytes as BE encoding of uint32). For point_add and point_mul I take a generator and multiply it by random 248 bit scalar (to not overflow the group order value using RNG). For point_mul worst case scalar is [255] * 32 cause there is no check that the value is in range (smaller than modulus). For pairing I do the same, make N pairs by producing random points in a same manner (now you also need to multiply G2 generator by random scalar).

I believe that hardware dependent part is only a constant of 35_000_000 gas/second using ecrecover reference on my machine. We could expect hardware dependency on 32-bit machines or ARM processors, but for modern 64 bit Intel/AMD only one constant should matter.

@holiman
Copy link

holiman commented Apr 3, 2020

@holiman maybe it is worth considering the idea which was brought up as part of "Stateless Summit". Have a separate counter, this time for the entire transaction frame, for the penalty counting. This same counter could be used for witness size counting.

Wouldn't it eliminate this attack vector?

Definitely maybe. But that idea can be done in several different ways, and depending on what path you go down, the effects on layer-2 can vary wildly.

I'm open to exploring other ideas, but thought that my EIP suggestion above was about as good as I could make it, and wanted to publish it before moving on to exploring some other solution.

@winsvega
Copy link

winsvega commented Apr 3, 2020

Testing updates:

  • Blockchain generation code reworked. blockchain tests could be generated with retesteth now.
  • VMTests generated as blockchain tests
  • Launched test run stats http://retesteth.ethdevops.io/

Testing questions:

  • Should make a discussion call @holiman and see where to direct the testing efforts

@axic
Copy link
Member

axic commented Apr 3, 2020

@shamatar @holiman I would suggest that:

  1. EIP-2046 should be concerned only about the STATICCALL change, with one exception: the price fixing of bnadd and bnmul.
  2. keccak256 could be its own EIP, because it is an EVM opcode.
  3. The other repricings may be conflated into a single EIP.

However it may be a lot of changes and it could make sense to restrict the number of repricings for this hard fork and roll out others later?

@poojaranjan
Copy link
Contributor

  1. Review previous decisions made and action items (if notes available)

Ethereum Core Devs Meeting 83 Notes

@edsonayllon
Copy link
Contributor

edsonayllon commented Apr 6, 2020

Meeting notes for call 84.

@ineffectualproperty
Copy link

@Souptacular - Would it be possible to include https://eips.ethereum.org/EIPS/eip-2565 on the agenda for April 17. Thanks!

@timbeiko
Copy link
Contributor

Closed in favor of #164

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests